- From: David Orchard <dorchard@bea.com>
- Date: Wed, 8 May 2002 14:35:52 -0700
- To: "'Anne Thomas Manes'" <anne@manes.net>, "'Mark Baker'" <distobj@acm.org>, "'Darran Rolls'" <Darran.Rolls@waveset.com>
- Cc: "'Dilber, Ayse, ALASO'" <adilber@att.com>, "'Joseph Hui'" <Joseph.Hui@exodus.net>, "'Edgar, Gerald'" <gerald.edgar@boeing.com>, "'Abbie Barbir'" <abbieb@nortelnetworks.com>, "'Allen Brown'" <allenbr@microsoft.com>, <www-ws-arch@w3.org>
Anne,

Could you live with doing message integrity, authentication (credential exchange), confidentiality, trust model description as our first security WG, with a plan to do the SAML/XACML artifact passing in a second version? This seems to be a great 80/20 point for our first cut at requirements, and is what I proposed a few (many?) emails ago.

Agreed that WS-Security may be a good start. I'm not as worried about the fact that it's not a standard, but more whether msft/ibm/verisign want to suggest ws-security be used. They may have IPR concerns with W3C IP policy. I figure we get the security wg going, and then ask the WG to evaluate the best solutions available for its use. If WS-Security isn't available, then it may have to create something different, but hopefully that won't happen.

Cheers,
Dave

> -----Original Message-----
> From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org]On Behalf Of Anne Thomas Manes
> Sent: Wednesday, May 08, 2002 2:29 PM
> To: Mark Baker; Darran Rolls
> Cc: Anne Thomas Manes; David Orchard; Dilber, Ayse, ALASO; Joseph Hui; Edgar, Gerald; Abbie Barbir; Allen Brown; www-ws-arch@w3.org
> Subject: RE: D-AG006 Security
>
> Mark,
>
> The problem does not already have a solution. There are a number of
> standards that will be cited by this working group (XML Signature, XML
> Encryption, XKMS, SAML, XACML, etc.), but there's no standard that ties
> these standards to Web services and SOAP. We need a standard that defines
> how to sign all or part of a SOAP message, how to represent the XML
> signature in a SOAP message, how to obtain the keys necessary to decrypt the
> message, how to pass credentials in a SOAP message, and how to represent
> credential delegation in a SOAP message, etc., etc. The best specification
> at our disposal is IBM/Microsoft/Verisign's WS-Security, but it isn't a
> standard. And it doesn't talk about how to pass SAML assertions or XACML
> policies in a SOAP message. It doesn't tie in XKMS. That's why we need a
> working group.
>
> Anne
>
> > -----Original Message-----
> > From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org]On Behalf Of Mark Baker
> > Sent: Wednesday, May 08, 2002 4:26 PM
> > To: Darran Rolls
> > Cc: Mark Baker; Anne Thomas Manes; David Orchard; Dilber, Ayse, ALASO; Joseph Hui; Edgar, Gerald; Abbie Barbir; Allen Brown; www-ws-arch@w3.org
> > Subject: Re: D-AG006 Security
> >
> > On Wed, May 08, 2002 at 02:12:27PM -0500, Darran Rolls wrote:
> > > Sounds like a potential part of the charter wording "ensuring reuse of
> > > existing web service security standards..."
> >
> > That would be good too, in case we miss any. But do we really want
> > to charter a WG only to find out that the problem already has a
> > solution?
> >
> > As I said on our very first call, I strongly believe that we don't
> > have as much work to do as most WG members might believe, at least
> > for some areas (not all). I request the opportunity to demonstrate
> > this.
> >
> > MB
> > --
> > Mark Baker, Chief Science Officer, Planetfred, Inc.
> > Ottawa, Ontario, CANADA. mbaker@planetfred.com
> > http://www.markbaker.ca http://www.planetfred.com

Received on Wednesday, 8 May 2002 17:39:34 UTC